a blog by Sander Berkouwer

As announced on July 25, Microsoft’s new Microsoft Authenticator app today replaces both its Azure Authenticator and Microsoft Account apps as the one easy-to-use app for all your multi-factor authentication needs.

Now, I’m not sure whether Microsoft will use the above slogan for the app, but to me it sums up what this new app offers.

Being involved in several Azure Multi-Factor Authentication projects, I’ve been deploying and using the Azure Authenticator app (and its predecessor, the Multi-Factor Auth app) to Windows Phone, iOS and Android-based devices in the past couple of years. Additionally, Dave looked at using the Microsoft Authenticator Windows Phone app with Google back in 2013. Yes, it was named the Microsoft Authenticator app, back in those days, too. That’s OK, because Nokia will soon be making mobile phones too and come full circle again, too…

People using the Azure Authenticator app on Windows Phone, iOS and Android-based devices will be automatically upgraded to the new Microsoft Authenticator app, starting today. Existing accounts already configured in existing Azure Authenticator installations will be upgraded automatically. Users of the Microsoft account app for Android will receive a prompt to download the new app.

What’s New

One app for both Azure MFA and Microsoft Accounts

With the new Microsoft Authenticator, Microsoft combines multi-factor authentication for both Azure-based accounts (OrgIDs) and Microsoft Accounts (MSAs) into one app that supports enterprise and consumer scenarios. In addition to these two types of Microsoft accounts, the Microsoft Authenticator supports any service that works with OATH-based one-time passcodes, just as the old Azure Authenticator did (and the old Microsoft Authenticator before it), so you can use one app for all your Microsoft, Facebook and Google multi-factor authentication needs.

Push notifications

To make authentication as easy as possible, you only need to click the “approve” button in the push notification triggered by Microsoft Authenticator on your mobile device to complete the login. (And in most cases, you won’t even need to open the app to complete the approval.)

Support for wearables

You can use an Apple Watch or Samsung Gear device to approve multi-factor authentication challenges.

Note:
Android Wear-based devices and Microsoft’s own Band are currently not supported for this scenario.

Fingerprints instead of passcodes

Microsoft added support for fingerprint-based approvals on both iPhones and Android-based devices.

Azure Multi-Factor Authentication allows organizations to require a PIN in addition to having possession of their registered device. With this new feature, iOS and Android users with devices supporting TouchID or Android 6.0+ Fingerprint Authentication won’t need to enter the PIN anymore. Once set up, users just scan their fingerprint instead of entering a PIN and tapping Approve.

Note:
The Microsoft Authenticator app currently does not support Microsoft Hello on Windows Phone-based mobile devices, like the Lumia 950.

Certificate-based authentication

The Microsoft Authenticator app adds support for enterprise customers to sign in through certificates instead of passwords using certificate-based authentication.

This way, supported Exchange ActiveSync mobile apps on iOS 9+ and Android L+-based devices can perform single sign-on (SSO) certificate-based authentication from the mobile device’s keychain to Exchange Online web-based resources, for both managed and federated Azure AD domains. In federated Azure AD domains, Office applications on iOS 9+ and Android L+ can perform certificate-based authentication against the federation server. The above features were announced in public preview and described in more detail on July 18. A detailed HowTo for deploying certificate-based authentication was posted on July 19.

Rapid Release Cycle

Microsoft is expecting to deliver new improvements at a very rapid pace.
